name: PR from External Contribution Detector

on:
  pull_request_target:
    types:
      - opened
      - reopened

jobs:
  labeler:
    if: |
      (
        (github.event.pull_request.author_association != 'OWNER') &&
        (github.event.pull_request.author_association != 'COLLABORATOR') &&
        (github.event.pull_request.author_association != 'MEMBER')
      )
    runs-on: ubuntu-latest
    name: Label PRs
    permissions:
      pull-requests: write
    steps:
        # Detect if the secret 'CHECK_TEAM_ORG_APP_ID' is set. If it's not set, don't
        # bother running this GH workflow.
      - name: Check if CHECK_TEAM_ORG_APP_ID is set in github secrets
        id: check_secret
        run: |
          echo "is_CHECK_TEAM_ORG_APP_ID_set: ${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}"
          echo is_CHECK_TEAM_ORG_APP_ID_set="${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" >> $GITHUB_OUTPUT

      - name: Get token
        # Get a token with the read:org permissions so that the GH action
        # can read the team membership for a user. We need to do this over a
        # GH app because GH actions don't have support for these type of
        # permissions.
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
        id: get_token
        uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
        with:
          APP_PEM: ${{ secrets.CHECK_TEAM_ORG_PEM }}
          APP_ID: ${{ secrets.CHECK_TEAM_ORG_APP_ID }}

      - name: Check author association
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        id: author_association
        # https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user
        with:
          github-token: ${{ steps.get_token.outputs.app_token }}
          script: |
            try {
              const result = await github.rest.orgs.checkMembershipForUser({
                org: "${{ github.repository_owner }}",
                username: "${{github.event.pull_request.user.login}}",
              })
              return result.status == 204;
            } catch {
              return false;
            }

      - name: Print author association
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
        run: |
          echo author_association_from_event=${{ github.event.pull_request.author_association }}
          echo author_association_from_api=${{ steps.author_association.outputs.result }}

      - name: Set label
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' && steps.author_association.outputs.result != 'true' }}
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["kind/community-contribution"]
            })
